
Is anyone else seeing this alert - Shh/Updater-B false positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.



  • I believe I received the new javab-jd.ide - but I don't know how to check if it is the latest version.

    At any rate, I updated a test client and I was able to get the new javab-jd.ide from the SEC, but my quarantined list hasn't been cleared out yet.

    Anyone know how to check version of javab-jd.ide?

  • I'll ask again: what can I do for over 100 clients that have quarantined their updater (mostly servers)?

  • The dang software has just uninstalled itself and the shields are all gone. My users are freaking out!

  • Yup, totally just got about 1500 email alerts in less than 40 minutes.

    I used Sophos Group Policy to disable messaging for the desktop clients. At least this way the end users will stop panicking.

    As everyone already knows, but I'll still post it. It is under:

    Sophos Management Console > Policies Section > Anti-virus and HIPS > <Pick your policy> to Edit > Messaging > Desktop Messaging tab > Uncheck "Enable Desktop Messaging"

    At least for our org, I have also disabled email alerts for the time being. Don't much care to be spammed.

    Now just waiting for the update. 

  • If you are unable to perform an update due to the Updating service being quarantined, but have NOT moved or deleted the files, you can do the following.

    1. Open cmd prompt and type net stop savservice
    2. Navigate to C:\Program Files\Sophos\Sophos Anti-Virus and delete agen-xuv.exe
    3. In cmd prompt, type net start savservice

    If a large number of systems are affected, you can use a tool like PsExec to execute the commands against a text-file list of systems. Please be sure to get your Sophos Update Manager server working first, as managed endpoints will not be able to download the IDE until the Sophos Update Managers have pulled it from our databanks.

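The three manual steps in the post above, pushed to a list of hosts with Sysinternals PsExec, as an added example that is not code from the original thread or from Sophos. It assumes PsExec.exe is on PATH, that you are a local administrator on every target, that hosts.txt holds one hostname per line, and that the file to remove is the one the post names (agen-xuv.exe); the $FileToDelete parameter exists so you can change that if your case differs. As the post says, repair the Sophos Update Manager server by hand first, then run this against the endpoints.

```powershell
# Added example (not from the thread or from Sophos): bulk version of
#   net stop savservice / delete the quarantined file / net start savservice
# over a host list, using PsExec. Assumptions are marked with "ASSUMPTION".
param(
    [string]$HostList     = '.\hosts.txt',                                  # ASSUMPTION: one hostname per line
    [string]$SavDir       = 'C:\Program Files\Sophos\Sophos Anti-Virus',
    [string]$FileToDelete = 'agen-xuv.exe',                                 # name exactly as given in the post
    [string]$LogFile      = ".\sav-fix-$(Get-Date -Format yyyyMMdd-HHmm).log"
)

$target = Join-Path $SavDir $FileToDelete

# The remote side is a plain batch file, so all quoting happens on the target
# rather than on the PsExec command line. Each step aborts with its own exit
# code, which PsExec relays back as $LASTEXITCODE. cmd's `del` does not set
# ERRORLEVEL when it fails, so the batch re-checks for the file instead.
$batch = @"
@echo off
net stop savservice || exit /b 1
if exist "$target" del /f /q "$target"
if exist "$target" exit /b 2
net start savservice || exit /b 3
exit /b 0
"@
$batchPath = Join-Path $env:TEMP 'sav-unquarantine.cmd'
# ASCII on purpose: cmd.exe treats a UTF-8 byte-order mark as part of line 1.
Set-Content -Path $batchPath -Value $batch -Encoding Ascii

$meaning = @{ 0 = 'FIXED'; 1 = 'FAILED: net stop'; 2 = 'FAILED: file still present'; 3 = 'FAILED: net start' }

foreach ($raw in Get-Content $HostList) {
    $h = $raw.Trim()
    if (-not $h -or $h.StartsWith('#')) { continue }          # skip blank and comment lines
    if (-not (Test-Connection -ComputerName $h -Count 1 -Quiet)) {
        "$h`tUNREACHABLE" | Tee-Object -FilePath $LogFile -Append
        continue
    }
    # -s: run as LocalSystem; -c -f: copy the batch to the target (overwriting any
    # old copy) and run it; -n 20: give up after 20 s if the host does not answer;
    # -accepteula/-nobanner: no EULA prompt or banner in the captured output.
    $output = & psexec.exe "\\$h" -accepteula -nobanner -n 20 -s -c -f $batchPath 2>&1
    $code   = $LASTEXITCODE
    $status = if ($meaning.ContainsKey($code)) { $meaning[$code] } else { "FAILED: psexec exit $code" }
    "$h`t$status" | Tee-Object -FilePath $LogFile -Append
    $output | Out-File -FilePath $LogFile -Append
}
```

Run it from an elevated PowerShell prompt on the management workstation; the log lists every host with FIXED, UNREACHABLE, or which of the three steps failed, so the hosts that still need a hand can be fed back in as a new hosts.txt.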
  • Why would my default option for a detected virus be "do nothing"?

    Now I have to manually re-install this on 120+ systems (and climbing). And not a normal install, but a "sort out what's broken and then repair and replace as needed, then uninstall, then re-install, then re-apply the update" fix.

    Your competitors just won our hearts and minds. Thanks for making our A/V decision so easy.

  • See previous post:

    I e-mailed my account rep and he replied with the following:

    We are currently engaged with SophosLabs over a false positive relating to 'Shh/Updater-B', and I want to quickly let you know of this false positive, and that you do not have an outbreak.

    If you have Live Protection enabled, you should stop seeing these detections, as the files are now marked 'clean' in the cloud. If you do not have Live Protection enabled, you will stop seeing new detections come in after the next IDE is released (releasing now in agen-xuv.ide).

    There is no cleanup for this detection, and you will see it quarantined unless you have your on-access policy set to move or delete detections if cleanup is not possible. Please double-check your SAV policy under cleanup; you want to ensure your secondary option (when cleanup is not available or does not work) is set to 'deny access' and not delete or move. Once the detections have stopped, you can acknowledge the alerts in the Console; this way you can see who is still reporting it and confirm it is trending down.

  • You don't have to manually re-install anything. Put the computers in their own OU and deploy a GPO to that OU....Done!

  • I emailed my rep... and was told the following (Sophos rep):

    YES, this is a FALSE POSITIVE issue, Sophos's screw-up....

    Here is the fix:

    Below is some helpful information:

    We are currently engaged with SophosLabs over a false positive relating to 'Shh/Updater-B', and I want to quickly let you know of this false positive, and that you do not have an outbreak.

    If you have Live Protection enabled, you should stop seeing these detections, as the files are now marked 'clean' in the cloud. If you do not have Live Protection enabled, you will stop seeing new detections come in after the next IDE is released (releasing now in agen-xuv.ide).

    There is no cleanup for this detection, and you will see it quarantined unless you have your on-access policy set to move or delete detections if cleanup is not possible. Please double-check your SAV policy under cleanup; you want to ensure your secondary option (when cleanup is not available or does not work) is set to 'deny access' and not delete or move. Once the detections have stopped, you can acknowledge the alerts in the Console; this way you can see who is still reporting it and confirm it is trending down.
